BAD NEWS, GUYS. Big bad news for every OnePlus 5T user who has recently updated their software to the Oxygen OS v5.0.2 Stable Oreo Update. You most probably got spyware installed on your device. I personally own a OnePlus 5T and have become a victim of the same recently.

In fact, the possible spyware has access to one of the core utilities of your phone, with some mysterious permissions. The potential harm it can cause with it is really alarming.

First things first, there is a solution to it. But that really doesn’t make me feel safe, as some deep-rooted spyware may be still on my device which maybe nobody can notice easily.

There have been quite a few news reports recently about OnePlus spying on user data without consent. I really didn’t pay any heed to them, as I didn’t notice it myself. But this time, it left me surprised.

Dear OnePlus, Why do you make me feel pissed off always? -_-

Anyways, I am just going to tell you what it’s all about, and how I noticed it in the first place.

How did it begin?

Before I begin, here’s a note for all of you: Don’t use this article alone to judge the OnePlus brand. I have been a user of OnePlus since the OnePlus 3 and I have been following them since the OnePlus One. They have a lot more good stuff than bad. And no smartphone manufacturer is 100% okay. You need to judge it by yourself. Everything I stated here is based on my findings, nothing else 🙂

I live in India, and, as always, we get OnePlus Oxygen OS updates quite a few days after the actual release. They call it phased rollout, by which the update rolls out gradually to users worldwide. Good thing.

But, there’s a tweak to get your updates instantly (or within some hours) after it gets released. That is, by using any VPN service.

A VPN (or Virtual Private Network) is used to hide your IP Address and Change it to some other country’s IP so that you appear to be browsing from another country. Alternatively, it can change your device location to any place.

So you can just use any VPN App to change your location to any country which gets the updates before others, like Germany or Canada. Once you do that, you can search for available updates, and it will show you if an update is available. Once you get that, simply disable your VPN and start downloading it with your normal internet connection, as a VPN may have speed limitations.

So, when I got to know about the Stable Oreo Update release for OnePlus 5T, I was very excited and decided to go the VPN way to grab it ahead.

I used Turbo VPN, which is a free VPN app. All I needed was a VPN connection for a minute or so, during which I could go to my Settings and search for the available update, then close the VPN and proceed to download it. I have done this many times previously, and it didn’t affect my device in any way. It is a safe process.

So on 31st January 2018 at around 9 pm, I searched for available updates using VPN and got the Oreo Update Package with OnePlus v5.0.2. It was around 1.5GB in Size. I downloaded it and installed it.

Surprisingly, the installation process was very quick, even for that huge update, including Android Version Upgrade. It took me 5 minutes to install.

I didn’t clear any data, it was a dirty flash, though handled by the Official OTA Installer. I didn’t have to do a thing.

The first thing I noticed right after the installation was that my already-buttery OnePlus 5T had become more fluid. I could feel it myself. The swiping, button-press latency etc. were much better than on Nougat. I faced no hanging issues or force-close issues with any of my apps; I have around 80+ apps and games installed.

The Problem Starts Now:

The next day, on the morning of 1st February 2018, I got up and saw a weird app named MKey in my application list. I recall clearly that I hadn’t installed any such app earlier and it wasn’t there the day before on my Nougat ROM.

So the only way that unknown App ‘MKey’ got itself installed on my device is by this Oreo Update. It definitely came with the ROM Package.

Now comes the question, is it an official app?

At first, I thought it is some official app and decided to try it out. I opened it.

It shows a splash screen like this, that says: Unlock your Smartphone Keyboard.

Judging by the icon in the middle, you can say it is a Keyboard App.

But, the fonts, the colors, the icon, nothing suggests that such an app was built by OnePlus themselves.

So, was it from a third party? So, OnePlus is installing some third-party keyboard?

The next thing it did was more surprising. A popup loaded asking for my permission to make it my default Messaging SMS App.

Why? Just why would some app try to become my default SMS app, in spite of OnePlus having their own SMS?

Exploring MKey App Features:

So, I decided to try out the app once. I made it my default Messaging App. It asked for some really fishy permissions, including drawing over other apps permission. Coming to that part later. Anyways, finally, I saw the SMS app main screen. It contained my received SMS list.

Now, in the settings of the app, it asked me to set up MKey Keyboard. Just like we enable other keyboards from settings, it needs to be enabled from settings, from the Manage Keyboard section.

Their keyboard had many Indian Languages support. But, why would that app come bundled with OnePlus?

This smelled fishy to me. So, what is this app doing with so many permissions?

To be exact, here are the permissions it wanted.

Camera, Contacts, Location, Phone, SMS, Storage, it took all the permissions 🙂

I can understand Contacts, Phone, SMS and Storage feature, but why Camera Permission?

This made me more suspicious. So, is MKey App secretly spying on you?

And it also got the permission to Draw over other Apps!

To summarize it, I had an app that came with OnePlus Oreo Update, named MKey. It was a third party app, unofficial and not made by OnePlus. It had a keyboard that can record anything I type. It had camera permissions. And, above all, it had become my default SMS App. So, every SMS I receive, including that of any Banking SMS, or any Transaction SMS, is all received by this app. This is very strange.
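
A defender-side check for the permission set described above, as an added example that is not part of the original post: it parses output shaped like `adb shell dumpsys package <package>` and reports which of the listed permission groups are actually granted. The package name `com.example.mkey` is a placeholder (the post does not give the real one), the sample text is constructed, and the "SMS plus overlay" flag is this example's own heuristic.

```python
import re

# Permission groups the article lists, plus the draw-over-other-apps permission.
GROUPS = {
    "Camera": {"CAMERA"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Phone": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG"},
    "SMS": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "Storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "Overlay": {"SYSTEM_ALERT_WINDOW"},
}

# Constructed sample shaped like `adb shell dumpsys package <pkg>` output.
# com.example.mkey is a placeholder; the article does not name the package.
SAMPLE = """\
Package [com.example.mkey] (1a2b3c):
  requested permissions:
    android.permission.CAMERA
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.ACCESS_FINE_LOCATION
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
  User 0: installed=true hidden=false
    runtime permissions:
      android.permission.CAMERA: granted=false
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
"""

def granted_permissions(dumpsys_text):
    """Return short names of permissions marked granted=true."""
    pat = re.compile(r"^\s*android\.permission\.(\w+): granted=true", re.M)
    return set(pat.findall(dumpsys_text))

def audit(dumpsys_text):
    """Map granted permissions to groups and flag SMS plus overlay together."""
    granted = granted_permissions(dumpsys_text)
    groups = sorted(g for g, names in GROUPS.items() if names & granted)
    # Heuristic: an app that reads SMS and can draw over other apps is reviewed first.
    high_risk = "SMS" in groups and "Overlay" in groups
    return {"granted_groups": groups, "high_risk": high_risk}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Requested-but-denied permissions (Camera and Location in the sample) are deliberately not counted, so the result reflects what the app can use right now rather than what it asked for.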

Finally, you can block cookies, by not allowing your browser to accept cookies. So, that means they will directly collect cookies from your browser, like Chrome and the only way to stop it is to ask your browser to stop recording cookies. (Wow!)

More Shady Stuff about MKey:

I looked at the OnePlus Forums and there was a thread related to that specific apk. I also found a Reddit thread.

And I realized it wasn’t me alone, other users have faced it too.

And I came across some really shocking points. I have listed them below.

People who have faced it mostly used VPN for Downloading their OTA. So, some users tried saying that it may be some VPN issue. But why on earth should a VPN be responsible for installing such an app?

People who have downloaded the ROM via Official OTA without using any VPN also got it. So, the VPN theory didn’t stand.

Also, there were users who have updated with or without VPNs and DID NOT GET ANY SUCH APK.

Some of those users who didn’t get the MKey apk initially got it soon after they restarted or rebooted their device.

But even then, there were users who didn’t get the MKey apk initially and also didn’t get it after any such rebooting.

So, at the end, no strong theory could be placed on the source for installing that app. Some people got it. Some people didn’t get it. It was so fishy and shocking at the same time.

The next strange thing about MKey is about what it does: SMS and Keyboard, both of which are covered by Google and OnePlus already. OnePlus has their dedicated SMS App. Why would they need another third party app for that, which doesn’t look so attractive?

OnePlus Staff Explanation:

The issue was explained by a OnePlus staff member, Adam Krisko, on 1st February at 6 am on that forum.

He said this:

The MKey APK is a font resource that was provided officially for India for local font compatibility needs. This can be uninstalled by users if not needed or wanted, but we are required to provide it.

Okay, at least OnePlus recognizes it. So, indeed it was bundled with OnePlus and had nothing to do with VPN and stuff. So, the source can be traced at least.

But then comes the next series of questions:

Why does the app track everything we do with our device?

Why would they need to bundle such an app with mysterious permissions when they already have SMS Apps of their own? Regarding the font compatibility, OnePlus supports all regional local fonts.

So, why is OnePlus installing that? Why did he say that ‘they are required to provide it’? Who gave such requirement instructions?

Why does that app work only when we set it as the default SMS App?

Why does it need camera permission or location permission even as an SMS App?

Why didn’t OnePlus mention that app in their OTA What’s New section? Are they trying to hide something?

What information does the app share with OnePlus or other third parties? Is it anonymous or identifiable?

Does the app store any information on their own server or just locally?

Why did some users not get the app? Why such an anomaly in distribution?

Why are only OnePlus 5T users getting this app on Oreo? What about OnePlus 5 or OnePlus 3/3T users?

And finally, why bundle the app with an OTA Update? Why not put the app to Play Store instead?

The questions continue even now. And it is getting fishier. And with those strange policies, the only thing I would suggest to you right now is uninstalling the MKey app from your OnePlus 5T Oreo build, Oxygen OS v5.0.2.

But, I am still skeptical about it. What if some spyware is still on my device and cannot be located?

Another shocking thing here is that the App will come back if you do a Factory Reset, just like it came at the first time. So, I am not at all satisfied.

What to do if I haven’t Upgraded to Oreo on OnePlus?

First and foremost, let me confirm this: Whether or not OnePlus gives a reason for bundling the MKey App, I am confident that the App isn’t required by us at all, for any purposes. Especially when OnePlus has their default messaging app.

So, essentially, you will need to get rid of that app.

If you are not worried about any sensitive data breach, you can simply upgrade to Oreo (no matter whether you use a VPN or not, it is gonna come), and then uninstall the MKey app right away, without even trying to open it.

I cannot digest the fishy permissions it asks for. No, you don’t need it, and I won’t suggest keeping the app as long as OnePlus doesn’t give a firm reason for it. So, uninstall it right away.

But, like I said, I am still worried about any hidden spyware inside my device. If you worry about that, or if you have sensitive data inside your device, don’t upgrade. Just remain on Nougat. To be honest, Nougat is smooth and, performance-wise, you can do pretty much anything on it.

So, just keep using Nougat for some more days until more information is discovered regarding the same.

OnePlus Previous Privacy Breach Incidents:

This isn’t the first time OnePlus has done this. It has done this earlier also.

At first, some Engineer Mode backdoor vulnerability was left inside OnePlus. After that, OnePlus Clipboard app was discovered sending data to China. And soon after, the OnePlus website came under a Credit Card phishing attack.

Even earlier, OnePlus was caught by XDA manipulating performance score results. OnePlus apologized for it later on.

So, time and again, OnePlus has been around with some good amount of negativity.

Just like a good company should receive all the praise it deserves, these kinds of experiences also need to be reported so that no further incidents occur. Hence, I thought of writing up this article for you all. I hope I was able to convey everything about the app to you.

Last Words:

Well, I am a OnePlus user myself and I still love using my OnePlus 5T more than anything. It is a powerhouse, and I feel proud to use it. And I never get satisfaction using any other device, other than OnePlus. So, you can imagine how hard it is for me to go through all of this.

But that does not mean I will ignore this issue. It is serious and is potentially harmful to your device, hence letting you know all of this.

Don’t forget to share this post with every OnePlus 5T user and make them aware of it.

Thank you for reading. See you soon with another interesting update. 🙂